Home > The Newbie Zone > Questions and Answers

No idea what this code means... Help? (3)

07-26-2017 07:48 PM #1 br5110 (Member)
No idea what this code means... Help?

Hi guys, just cleaning up a ripped lander and came across the following script. Total newbie at this kind of stuff, so if someone could help me out, I would be eternally grateful.

<script>
var link2 = 'url';

var _0x80a9=["\x43\x6F\x6E\x73\x74\x72\x75\x63\x74\x6F\x72","\x 69\x6E\x64\x65\x78\x4F\x66","\x63\x61\x6C\x6C","\x 74\x6F\x53\x74\x72\x69\x6E\x67","\x70\x72\x6F\x74\ x6F\x74\x79\x70\x65","\x61\x73\x73\x69\x67\x6E","\ x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x5F\x62\x6C\x61 \x6E\x6B","\x6F\x70\x65\x6E","\x68\x6F\x73\x74","\ x6C\x69\x66\x65\x61\x64\x76\x69\x63\x65\x64\x61\x6 9\x6C\x79\x2E\x63\x6F\x6D","\x6D\x65\x64\x69\x63\x 61\x6C\x68\x65\x61\x6C\x74\x68\x61\x64\x76\x69\x73 \x6F\x72\x2E\x63\x6F\x6D","\x61\x63\x6B\x6C\x2E\x6 3\x6F","\x63\x6C\x69\x63\x6B\x74\x72\x61\x66\x66\x 69\x63\x32\x31\x2E\x63\x6F\x6D","\x6D\x61\x78\x63\ x6C\x69\x63\x6B\x32\x31\x2E\x63\x6F\x6D","\x72\x61 \x6E\x64\x6F\x6D","\x68\x72\x65\x66","\x68\x74\x74 \x70\x3A\x2F\x2F\x6C\x69\x66\x65\x61\x64\x76\x69\x 63\x65\x64\x61\x69\x6C\x79\x2E\x63\x6F\x6D\x2F\x62 \x69\x62\x6C\x69\x63\x61\x6C\x2D\x62\x65\x6C\x6C\x 79\x2D\x62\x72\x65\x61\x6B\x74\x68\x72\x6F\x75\x67 \x68\x2F\x74\x65\x61\x73\x65\x72\x2F\x64\x69\x72\x 65\x63\x74\x2E\x70\x68\x70\x3F\x73\x69\x64\x3D","\ x6F\x74\x68\x65\x72\x2E\x68\x74\x6D\x6C","\x4F\x74 \x68\x65\x72\x20\x50\x61\x67\x65","\x72\x65\x70\x6 C\x61\x63\x65\x53\x74\x61\x74\x65","\x68\x69\x73\x 74\x6F\x72\x79","\x63\x75\x72\x72\x65\x6E\x74\x2E\ x68\x74\x6D\x6C","\x43\x75\x72\x72\x65\x6E\x74\x20 \x50\x61\x67\x65","\x70\x75\x73\x68\x53\x74\x61\x7 4\x65","\x70\x6F\x70\x73\x74\x61\x74\x65","\x55\x5 2\x4C","\x61\x64\x64\x45\x76\x65\x6E\x74\x4C\x69\x 73\x74\x65\x6E\x65\x72"];var isSafari=Object[_0x80a9[4]][_0x80a9[3]][_0x80a9[2]](window.HTMLElement)[_0x80a9[1]](_0x80a9[0])> 0;function launchnewwindow(){setTimeout(function(){url= link2;document[_0x80a9[6]][_0x80a9[5]](url);if(isSafari){window[_0x80a9[8]](link2,_0x80a9[7])}},1000);return false}var speed=window[_0x80a9[6]][_0x80a9[9]];var d1=speed[_0x80a9[1]](_0x80a9[10])> -1;var d2=speed[_0x80a9[1]](_0x80a9[11])> -1;var d3=speed[_0x80a9[1]](_0x80a9[12])> -1;var d4=speed[_0x80a9[1]](_0x80a9[13])> -1;var d5=speed[_0x80a9[1]](_0x80a9[14])> -1;var _0xc9d4=["\x61\x64\x64\x45\x76\x65\x6E\x74\x4C\x69\x73\x74\ x65\x6E\x65\x72","\x61\x74\x74\x61\x63\x68\x45\x76 \x65\x6E\x74","\x6F\x6E","\x6C\x6F\x61\x64","\x6D\ x6F\x75\x73\x65\x6F\x75\x74","\x65\x76\x65\x6E\x74 ","\x72\x65\x6C\x61\x74\x65\x64\x54\x61\x72\x67\x6 5\x74","\x74\x6F\x45\x6C\x65\x6D\x65\x6E\x74","\x6 E\x6F\x64\x65\x4E\x61\x6D\x65","\x48\x54\x4D\x4C", "\x64\x69\x73\x70\x6C\x61\x79","\x73\x74\x79\x6C\x 65","\x6D\x6F\x64\x61\x6C\x2D\x63\x6F\x6E\x74\x61\ x69\x6E\x65\x72","\x67\x65\x74\x45\x6C\x65\x6D\x65 \x6E\x74\x42\x79\x49\x64",""];var hasExitPopBeenDisplayed=false;function addEvent(_0xfc05x3,_0xfc05x4,_0xfc05x5){if(_0xfc05 x3[_0xc9d4[0]]){_0xfc05x3[_0xc9d4[0]](_0xfc05x4,_0xfc05x5,false)}else {if(_0xfc05x3[_0xc9d4[1]]){_0xfc05x3[_0xc9d4[1]](_0xc9d4[2]+ _0xfc05x4,_0xfc05x5)}}}addEvent(window,_0xc9d4[3],function(_0xfc05x6){addEvent(document,_0xc9d4[4],function(_0xfc05x6){_0xfc05x6= _0xfc05x6?_0xfc05x6:window[_0xc9d4[5]];var _0xfc05x7=_0xfc05x6[_0xc9d4[6]]|| _0xfc05x6[_0xc9d4[7]];if(!_0xfc05x7|| _0xfc05x7[_0xc9d4[8]]== _0xc9d4[9]){if(!hasExitPopBeenDisplayed){document[_0xc9d4[13]](_0xc9d4[12])[_0xc9d4[11]][_0xc9d4[10]]= _0xc9d4[14];hasExitPopBeenDisplayed= true}}})});

</script>

07-27-2017 09:15 AM #2 manu_adefy (Veteran Member)

First thing you should do when you have such a thing is go to http://jsbeautifier.org/ or something similar and "beautify" the code, so you see the whole thing better:

var link2 = 'url';

var _0x80a9 = ["\x43\x6F\x6E\x73\x74\x72\x75\x63\x74\x6F\x72" , "\x 69\x6E\x64\x65\x78\x4F\x66", "\x63\x61\x6C\x6C", "\x 74\x6F\x53\x74\x72\x69\x6E\x67", "\x70\x72\x6F\x74\ x6F\x74\x79\x70\x65", "\x61\x73\x73\x69\x67\x6E", "\ x6C\x6F\x63\x61\x74\x69\x6F\x6E", "\x5F\x62\x6C\x61 \x6E\x6B", "\x6F\x70\x65\x6E", "\x68\x6F\x73\x74", "\ x6C\x69\x66\x65\x61\x64\x76\x69\x63\x65\x64\x61\x6 9\x6C\x79\x2E\x63\x6F\x6D", "\x6D\x65\x64\x69\x63\x 61\x6C\x68\x65\x61\x6C\x74\x68\x61\x64\x76\x69\x73 \x6F\x72\x2E\x63\x6F\x6D", "\x61\x63\x6B\x6C\x2E\x6 3\x6F", "\x63\x6C\x69\x63\x6B\x74\x72\x61\x66\x66\x 69\x63\x32\x31\x2E\x63\x6F\x6D", "\x6D\x61\x78\x63\ x6C\x69\x63\x6B\x32\x31\x2E\x63\x6F\x6D", "\x72\x61 \x6E\x64\x6F\x6D", "\x68\x72\x65\x66", "\x68\x74\x74 \x70\x3A\x2F\x2F\x6C\x69\x66\x65\x61\x64\x76\x69\x 63\x65\x64\x61\x69\x6C\x79\x2E\x63\x6F\x6D\x2F\x62 \x69\x62\x6C\x69\x63\x61\x6C\x2D\x62\x65\x6C\x6C\x 79\x2D\x62\x72\x65\x61\x6B\x74\x68\x72\x6F\x75\x67 \x68\x2F\x74\x65\x61\x73\x65\x72\x2F\x64\x69\x72\x 65\x63\x74\x2E\x70\x68\x70\x3F\x73\x69\x64\x3D", "\ x6F\x74\x68\x65\x72\x2E\x68\x74\x6D\x6C", "\x4F\x74 \x68\x65\x72\x20\x50\x61\x67\x65", "\x72\x65\x70\x6 C\x61\x63\x65\x53\x74\x61\x74\x65", "\x68\x69\x73\x 74\x6F\x72\x79", "\x63\x75\x72\x72\x65\x6E\x74\x2E\ x68\x74\x6D\x6C", "\x43\x75\x72\x72\x65\x6E\x74\x20 \x50\x61\x67\x65", "\x70\x75\x73\x68\x53\x74\x61\x7 4\x65", "\x70\x6F\x70\x73\x74\x61\x74\x65", "\x55\x5 2\x4C", "\x61\x64\x64\x45\x76\x65\x6E\x74\x4C\x69\x 73\x74\x65\x6E\x65\x72"];
var isSafari = Object[_0x80a9[4]][_0x80a9[3]][_0x80a9[2]](window.HTMLElement)[_0x80a9[1]](_0x80a9[0]) > 0;

function launchnewwindow() {
setTimeout(function() {
url = link2;
document[_0x80a9[6]][_0x80a9[5]](url);
if (isSafari) {
window[_0x80a9[8]](link2, _0x80a9[7])
}
}, 1000);
return false
}
var speed = window[_0x80a9[6]][_0x80a9[9]];
var d1 = speed[_0x80a9[1]](_0x80a9[10]) > -1;
var d2 = speed[_0x80a9[1]](_0x80a9[11]) > -1;
var d3 = speed[_0x80a9[1]](_0x80a9[12]) > -1;
var d4 = speed[_0x80a9[1]](_0x80a9[13]) > -1;
var d5 = speed[_0x80a9[1]](_0x80a9[14]) > -1;
var _0xc9d4 = ["\x61\x64\x64\x45\x76\x65\x6E\x74\x4C\x69\x73\ x74\ x65\x6E\x65\x72", "\x61\x74\x74\x61\x63\x68\x45\x76 \x65\x6E\x74", "\x6F\x6E", "\x6C\x6F\x61\x64", "\x6D\ x6F\x75\x73\x65\x6F\x75\x74", "\x65\x76\x65\x6E\x74 ", "\x72\x65\x6C\x61\x74\x65\x64\x54\x61\x72\x67\ x6 5\x74", "\x74\x6F\x45\x6C\x65\x6D\x65\x6E\x74", "\x6 E\x6F\x64\x65\x4E\x61\x6D\x65", "\x48\x54\x4D\x4C", "\x64\x69\x73\x70\x6C\x61\x79", "\x73\x74\x79\x6C\x 65", "\x6D\x6F\x64\x61\x6C\x2D\x63\x6F\x6E\x74\x61\ x69\x6E\x65\x72", "\x67\x65\x74\x45\x6C\x65\x6D\x65 \x6E\x74\x42\x79\x49\x64", ""];
var hasExitPopBeenDisplayed = false;

function addEvent(_0xfc05x3, _0xfc05x4, _0xfc05x5) {
if (_0xfc05 x3[_0xc9d4[0]]) {
_0xfc05x3[_0xc9d4[0]](_0xfc05x4, _0xfc05x5, false)
} else {
if (_0xfc05x3[_0xc9d4[1]]) {
_0xfc05x3[_0xc9d4[1]](_0xc9d4[2] + _0xfc05x4, _0xfc05x5)
}
}
}
addEvent(window, _0xc9d4[3], function(_0xfc05x6) {
addEvent(document, _0xc9d4[4], function(_0xfc05x6) {
_0xfc05x6 = _0xfc05x6 ? _0xfc05x6 : window[_0xc9d4[5]];
var _0xfc05x7 = _0xfc05x6[_0xc9d4[6]] || _0xfc05x6[_0xc9d4[7]];
if (!_0xfc05x7 || _0xfc05x7[_0xc9d4[8]] == _0xc9d4[9]) {
if (!hasExitPopBeenDisplayed) {
document[_0xc9d4[13]](_0xc9d4[12])[_0xc9d4[11]][_0xc9d4[10]] = _0xc9d4[14];
hasExitPopBeenDisplayed = true
}
}
})
});
What I can see is that it's doing a lot of the standard scripts (alert, vibration, back button) but the information is encoded, so you don't see the link where it redirects to, what text it shows, etc.

var _0x80a9 - this is also an array of things he will use instead of normal text to do simple statements. For example, \x43\x6F\x6E\x73\x74\x72\x75\x63\x74\x6F\x72 is decoded to Constructor using this tool: http://ddecode.com/hexdecoder/.

Solution - Delete everything there and replace with your scripts. Alternatively, manually translate all that and edit, though that is very time intensive and not sure you can automate it easily without knowing exactly what they did to encode everything.

07-27-2017 07:44 PM #3 br5110 (Member)

Awesome, thanks for the help man.

Home > The Newbie Zone > Questions and Answers